by revelation 4660 days ago
Certainly the conclusion can't be that the legality of your actions depends on the reaction of an automated system at the other end of a pipe that you don't control?

I have no problem with basing it off intent, but the focus should be on prosecuting whoever put that data out there in the first place with gross negligence.

1 comments

The legality of your actions depends on whether you know, as you interact with the automated system, that you have managed to find a path to data that you should not have had access to.

So, if by incrementing ICC-IDs, you found random technical data about AT&T provisioning, it would be very hard to argue that you were knowingly accessing it without authorization. But when the information you find is so personal that your first instinct is to chat about selling it to spamming rings, you are on considerably less safe footing.

I am ambivalent about software liability. Vulnerable software is much more common than most people think it is, and it would be a shame if ill-conceived liability rules created a situation for startups analogous to that of medical malpractice insurance. On the other hand, liability laws would be hugely lucrative for me.

Putting the burden on a user to "know" whether they are authorized or not seems crazy. Even if they talked about selling to spammers.

Hypothetically, the police give me a police report number that I can access at police.gov/crimes/:reportno. I discover that if I increment/decrement these, I can get ALL reports. I then build a cool mashup of crimes in the area on a Google map. It turns out the police didn't intend that. Am I now a criminal (because of the police's intent)?

Indeed, it's a judgment call. That's why we have judges and juries.